Amon Ott wrote:

> On Don, 12 Apr 2001 Amon Ott wrote:
> > Personally, I do believe that a module interface will be insufficient for
> > RSBAC, SELinux and some other projects.
> This was not precise. A kernel module only interface will be insufficient,
> because modules get loaded too late, and we need a lot of information from the
> kernel.

While this is certainly a valid security issue, to me it just defines this issue as beyond the scope of the linux-security-module (LSM) project. There's no way that LSM can solve all security problems, it's just supposed to enable the loading of a reasonable set of security modules.

The problem of a high integrity boot sequence has been studied
http://citeseer.nj.nec.com/arbaugh97secure.html

The solution is that each "level" in the boot sequence checksums the next level before starting it, i.e. the boot proms checksum the bios, which checksums lilo, which checksums vmlinuz, which checksums the modules, etc.

It is valid work to propose that Linux should have a high integrity boot sequence. It's just not what this project is about. To me, security modules are about keeping the attacker from getting sufficient privilege to mess with your boot sequence. If they can hack your module config and force a reboot, you've already lost, so I'm just not going to worry about it in this context.

Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution: http://immunix.org
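The chained check described in the message above, sketched as an added example that is not part of the original post or of the cited paper. It assumes SHA-256 as the checksum; the stage contents and the names `Stage`, `build_chain` and `boot` are hypothetical.

```python
import hashlib
from dataclasses import dataclass

# Stage order follows the post; the stage contents below are constructed.
STAGE_NAMES = ["boot prom", "bios", "lilo", "vmlinuz", "modules"]
CODES = [b"prom-v1", b"bios-v1", b"lilo-v1", b"vmlinuz-2.4", b"lsm-module"]

@dataclass
class Stage:
    name: str
    code: bytes         # constructed stand-in for the stage's image
    next_digest: bytes  # checksum of the next stage, b"" for the last one

    def image(self) -> bytes:
        # The measured image covers the code AND the digest it embeds,
        # so trusting one stage transitively pins every later stage.
        return self.code + self.next_digest

def checksum(data: bytes) -> bytes:
    # Assumption: SHA-256 stands in for the "checksum" named in the post.
    return hashlib.sha256(data).digest()

def build_chain(codes):
    """Build stages back to front so each embeds the next one's checksum."""
    stages, next_digest = [], b""
    for name, code in reversed(list(zip(STAGE_NAMES, codes))):
        stage = Stage(name, code, next_digest)
        stages.append(stage)
        next_digest = checksum(stage.image())
    return stages[::-1]

def boot(stages):
    """Return (stages started, stage rejected or None)."""
    started = [stages[0].name]  # the first stage is the root of trust
    for current, nxt in zip(stages, stages[1:]):
        if checksum(nxt.image()) != current.next_digest:
            return started, nxt.name  # refuse to hand over control
        started.append(nxt.name)
    return started, None

def demo():
    chain = build_chain(CODES)
    clean = boot(chain)
    # The last stage's contents change on disk after the chain was built.
    chain[4].code = b"lsm-module-changed"
    return clean, boot(chain)

if __name__ == "__main__":
    print(demo())
```

The root stage is never checked by anything, which is why it has to live in storage that cannot be rewritten.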
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:15:23 PDT